Description

Two modules are no longer supported because of cross-site scripting issues.

The Juitter module enables you to use Juitter, a jQuery plugin, to put live Twitter search results on your site. The Juitter module contains a cross site scripting (XSS) vulnerability that can be exploited when setting up the module or translating the module's text strings. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer juitter settings" or be able to translate text strings.

The Download Count module tracks downloads of files from a site. The Download Count module contains a cross site scripting (XSS) vulnerability. This vulnerability is mitigated by the fact that an attacker must have a role with the permission "administer download count".

Versions affected

  • Juitter module: 6.x-1.3
  • Download Count module: 6.x-1.x, 6.x-2.x

Drupal core is not affected. If you do not use the contributed Juitter - jQuery Twitter live search feeds or the Download Count module, there is nothing you need to do.

Solution

Disable the Juitter module and remove the module from your filesystem. There is no fixed version of the Juitter module available.

Disable the Download Count module and remove the module from your filesystem. There is no fixed version of the Juitter module available.

See also the Juitter - jQuery Twitter live search feeds project page and the Download Count project page.

Reported by

Fixed by

These modules have not been fixed. Please disable them and remove them from your file system.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.